Jan 29th 2024

Top 10 Small Business Manufacturing Stresses

Note: This is a guest article by Win-Tech, a leading voice from the Defense Industrial Base (DIB) (e.g., someone who just wants to make parts). Win-Tech is a veteran-owned small business (VOSB) with in-house machining and fabrication capabilities. They are a US-based custom, build-to-print, aerospace and defense machine shop.

It seems like we have all sorts of apps and resources to translate one language to another, but there is one type of language that is regularly misunderstood:

The words from a stressed small business manufacturer already behind in security and compliance.

As a small business manufacturer, I hope to help interpret some of these regularly misinterpreted or mis-communicated war-cries, excuses, and general stances you may hear in the Defense Industrial Base (DIB), and attempt to bridge the gap between the words that are uttered and the meaning behind them.

With each statement comes a community or shared resource, offering support to someone who may be asking that very question – fed up, confused, and overwhelmed.

You aren’t alone! Now, get to work.

10. “I don’t have the people to manage all of this. How do you expect me to be an IT subject matter expert, too?”

This one is rather straightforward.

For decades, small business manufacturers have had their priorities laid out quite clearly: supply conforming parts to the customer on time and on budget.

Now small businesses hear the battle-cry of security and compliance and throw up their hands. You can hear the grumbling: “I’m an expert in manufacturing your part. You want conforming parts on time, we negotiate on price and lead time, and now you want me to also become an expert in something that you’ve never made part of the incentive until now?”

I mean, can you really blame the manufacturer in this?

It’s overwhelming to think that another layer of expertise must be built into the day-to-day management of a business working in the defense industry. So, if you are a manufacturer, where do you start?

Start with illustrating your workflow.

Heck, being in the DIB, you are likely already ISO 9001 or AS9100 certified, so you probably have some sort of workflow defined.

Now look at that workflow with the data you receive from your customer, and the product you create, in mind.

When you have that complete, identify all the places that technology is used – workstations, phones, printers, copy machines.

Observe how your data flows through all of these things.

Look at you! You’ve essentially scoped your environment and have a better idea as to just how CMMC and other regulations may impact your business.

Do you feel like an expert yet?

No? Okay, good. Then you’re doing it right.


9. “I don’t even know if the data I have has to be protected.”

It is not surprising that small business manufacturers are often at a loss right from the start. When was the last time you saw clearly identified Controlled Unclassified Information (CUI)?

Small business manufacturers operating in the DIB may regularly see data marked Customer Proprietary, or ITAR/Export Controlled. Clearly marked CUI? Likely, no.

In an environment where standards, rules, identification, and traceability are everything, why are we setting up small business manufacturers for failure?

Granted, there can be CUI that is created at the small business itself, but that still raises the question: How often are clear instructions flowed down to facilitate the identification and marking of the data? How does a small business know when new CUI data is “born” in its own environment?

Fortunately, there are community resources out there that help small businesses do the work that, honestly, should have been done when the data was created, before it ever reached their door.


8. “We’ve never been hacked before. We’re fine.”

Have you ever watched a baseball game on TV, when the pitcher is throwing a no-hitter in the 8th inning and the announcer points out that the pitcher is pitching a no-no? The next pitch is always a meatball and the batter connects for a base hit.

Just because your services haven’t been disrupted doesn’t mean you haven’t been compromised.

Of course, there are plenty of times that businesses are compromised and the source of the compromise is relatively simple to find:

In 2021, a Barracuda Networks study found that, on average, an employee of a small business with fewer than 100 employees will experience 350% more social engineering attacks than an employee of a larger enterprise.

That was 3 years ago. Any idea on how much more that chance is now?


7. “We don’t have that flow-down. Never have.”

The amount of legalese a small business manufacturer is often asked to accept on paper for a simple machined part – often one that resembles a commercial off-the-shelf (COTS) component – can be mind-boggling.

In some cases, the flow-down is warranted. In other cases, the flow-down is blindly copied and pasted from one buyer to a supplier. “Rather be safe and include everything, right?” You can practically hear the justification as you read through the copy of the copy of the copy.

A reminder to anyone guilty of promoting that mentality: When everything is a priority, nothing is a priority.

Contracting Officers and Purchasing Agents are not Engineers. It is crazy to think that data shared between supply chain links is always shared by data subject matter experts, and thus that flow-down applicability is fully understood along the way.

Unfortunately, that does not stop flow-down from being passed down when not actually applicable – or accurate.

As for my fellow small business manufacturers: Without truly sitting down and looking for key references, clauses, and acronyms, you may have accepted the flow-down without even realizing it.

When was the last time you truly read through your customer’s Terms and Conditions, or Quality Codes? Is it possible there is more flow-down lurking beneath?


6. “Well, then, if I have to do all of this, I’m just going to stop doing business in the DIB.”

Yes, that’s totally an option, and I suspect some companies will do this.

Commercial work in the manufacturing world is a tough business to be in, too. Profit margins are tight because you are often competing with overseas labor or with shops that have long since perfected the art of quick production runs and rely on high volumes to make ends meet.

If you are considering leaving the Defense Industrial Base (DIB) specifically because of the costs of compliance with security frameworks like CMMC, I urge you to sit down and analyze the costs you believe you’ll incur, and what you’ll gain in revenue as a result.

For some, it really is a no-brainer to leave. To others, it’s the reason to stick around.


5. “We have a firewall. It’s fine.”

Yesterday’s firewall is no longer good enough for today’s network defenses.

Oh, and while we’re at it – who manages your firewall? Your neighbor’s cousin’s boyfriend?

Unfortunately, if you have certain technologies in your business process flow, and those technologies have been around a while, you may be faced with a long list of vulnerabilities, end-of-life support, or equipment that is flat-out not allowed in your environment due to Section 889.

We’ll save the chat about FedRAMP and cloud service providers for another day – that’ll only depress you.


4. “I have much more pressing needs.”

I get it, I really do. When you’re a small business manufacturer, there are ten other fires happening at any point in time.

That large purchase order from a new customer that you just accepted? The machine you were counting on just had a tooling malfunction and the technician is booked for the next 4 weeks.

That backlog you have? You can’t hire people quickly enough.

The CNC programmer you hired two weeks ago? He doesn’t get along with the other one and you have had them both in your office twice in the last week.

Stick to what you are good at. Talk to a professional, but talk to their references before pulling the trigger.


3. “We’re a small fish in a big pond. No one wants what we have. They’re going after the big guys.”

Think about what your targets would be if you were in the business of finding out what other countries were developing and manufacturing. Would you go after the Chinese Government, or would you go after a small machine shop that is working on something for a larger company, which is doing business for the Chinese Government?

Okay, arguably, all of those supply chain links are the Chinese Government, but I think you see the point.

Large Primes have strong defenses. They have resources that support the protection of important data. Often, they’ll take that important data and send it to you, the small business manufacturer.

Who protects that data?


2. “The rules change too quickly for me to keep up. I’ll just wait on CMMC 3.0.”

There is no mandate that says you must be perfect [to CMMC] today.

If you are attesting compliance to NIST 800-171 via DFARS 252.204-7012, you’ll definitely want to talk to your Managed Service Provider (MSP) or IT Department before signing off on a perfect 110 in SPRS.

Be better than you were yesterday. To do that, you have to start somewhere.

When the grizzly bear is hungry and chasing you, the idea is to just not be the slowest runner. Don’t be the lowest-hanging fruit.

Stay engaged in the community, or at least check in more frequently than you have been doing.


1. “I just want to make parts.”

Same, man. Same.